Cyber security's image problem has created a diversity nightmare

The cyber security industry has an image problem which is putting off capable candidates from pursuing careers in the profession.

The stock image tropes of the hacker in a hoodie and the overuse of language evoking warfare, lacks broad appeal – particularly among women – and narrows the potential talent pool, agreed a panel of security experts at the Gartner Security & Risk Management Summit in Sydney today.

“The language of security needs to change. The language effectively sets the tone and it frames what cyber security has become which is effectively: cyber now means war,” said Craig Templeton, chief information security officer at REA Group.

“All you have to do is Google cyber and you get pictures and imagery of warfare. It’s been hijacked by the military. You only have to look at how we advertise for roles: we talk about red teams, we talk about defence. It’s very militaristic; it attracts a certain kind of person. Frankly a lot of women and men aren’t attracted to that kind of environment and who would blame them."

Pip Wyrdeman, senior adviser on cyber policy at the Office of the Cyber Security Special Adviser which sits within the Department of the Prime Minister and Cabinet, said the profession’s diversity problem was a problem of presentation and called on marketers for help.

“Help us change the way we view ourselves and the way the population at large views us. It is fundamentally a marketing challenge,” she said.

“If we can work out how to sell to the buyer – the buyer being those people who might actually be interested in becoming part of the cyber community if only they knew they wanted to do that – I think it’s something that would be very valuable to us.”

Jonathan Goode, head of technology strategy and architecture, security at ANZ Bank, said the perception and reality of what it’s like to work in cyber security was changing.

“When I started…it was literally a closed room, a group of four of five males in a room locked away. Social skills perhaps weren’t our strength at the time. We just stared into computers all day and streamed various feeds from various data sources to try to run pen tests,” he said.

“The days of that being commonplace are transforming, we are moving away from that. We’ll always need those deep, technical skill sets – there’s no getting away from that – but it’s very much building out the breadth of those skills and finding people who can actually work at all levels,” Goode added.

Not all good in the hood

Commenting from the audience, Jetstar head of security Yvette Lejins, added: “I’ve grappled with that over my 20 year career in security, seeing the hoodies, seeing the dark dungeons, that blokey culture that cyber security has manifested. Although that is changing.”

“[There’s a] perception of what cyber security person looks like. If we change the way we talk about security we’ll start attracting more people into the profession. If we start to talk security in different ways you’ll have more people thinking: maybe I could do that or maybe I am interested. We have got a marketing problem,” he said.

Each speaker shared some of the practical steps they had taken to encourage more women into cyber security.

RAE Group ran its inaugural DevOps Girls event in February where women in the organisation were able to learn new skills and pair up with mentors. It also has an internal blog community for women working in technology and screens all job postings so the language is not gender biased.

Goode serves as a mentor with Vic ICT for Women, and ANZ Bank has a number of initiatives to boost diversity such as ensuring a female candidate is interviewed for every role and all roles can be worked flexibly.

The federal government – notably not subject to the gender diversity monitoring it imposes on companies through the Workplace Gender Equality Agency – today published a review of the literature on women in cyber security to better identify the barriers they face.

One in ten

According to a study published earlier this year female employees are vastly under-represented in cyber security, making up only 11 per cent of the global information security workforce and 10 per cent in the Asia-Pacific region.

A review of scientific literature – published this morning by the Department of the Prime Minister and Cabinet, UNSW Canberra Public Service Research Group and UNSW’s Australian Centre for Cyber Security – suggests a multitude of overlapping factors are affecting women's’ participation in cyber security.

“Exploratory research suggests that marketing, role models, and hiring practices are barriers to attracting women into the industry, and that workplace culture, a lack of flexible working arrangements and fear of failure impede women’s retention in the industry,” the report states.

Copyright 2019 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.